Equifax Breach Puts Credit Bureaus' Oversight In Question

Equifax spent over $1 million last year on lobbying efforts, according to data compiled by the Center for Responsive Politics.

Mike Stewart / AP


Originally published on September 22, 2017 6:29 am

Updated at 11:55 p.m. ET

The Equifax data breach exposed the personal information of an estimated 143 million Americans. It has led to a lawsuit against the company by the state of Massachusetts, an investigation by the Federal Trade Commission and the promise of congressional hearings. The episode, though, has revealed that up until now, the big three credit reporting companies have had a lot of clout in Washington, D.C., analysts say.

The credit reporting companies have to comply with rules set by the Federal Trade Commission and the Consumer Financial Protection Bureau, which regulate how the companies can sell your financial data to other companies.

But protecting that data is a kind of regulatory black hole. There is very little oversight — compared to banks, for example, says Rohit Chopra, a former assistant director of the CFPB. "To maintain a national bank license, banks have to prove that their standards are up to snuff," he says, "but credit reporting agencies don't face that same level of oversight, even though they hold data on the majority of American adults."

Chopra says what he calls the "meltdown at Equifax should be a wake-up call" to consumers about the outsized role credit reporting companies play "without our consent."

Chopra is now a senior fellow at the Consumer Federation of America, where he wrote up advice for those affected by the breach. Chopra says there are few rules protecting consumers' data or that require credit bureaus to immediately notify consumers in the event of a breach. It took Equifax some six weeks to reveal the hack, and the company left it up to consumers to try to find out if their data had been stolen.

Chopra says people have little control over their information, and that with credit bureaus, "in some ways you're not the customer, you're the product."

And Ed Mierzwinski of U.S. PIRG (Public Interest Research Group) says when it comes to choosing a credit bureau, consumers have no choice. "If you don't like AT&T or Verizon, you can go to T-Mobile, you can take your business elsewhere, you vote with your feet. You can't vote with your feet with a credit bureau," he says. "You're stuck with them."

Mierzwinski says the credit bureaus have fought attempts to make them more transparent. The three companies, Equifax, Experian and TransUnion, spent nearly $3 million to lobby lawmakers last year, according to figures compiled by the Center for Responsive Politics. In fact, he says, House lawmakers were considering legislation the industry favored on Sept. 7: "On the day of the Equifax breach announcement, the House held hearings on not one, but two bills to weaken consumer protections over the credit bureaus."

One of the measures would cap the amount of damages that consumers could be awarded in a lawsuit against the companies. Its sponsor, Rep. Barry Loudermilk, R-Ga., defended the bill at that hearing, saying it had been presented "that this is a credit bureau protection act. This is false. This is to protect consumers and all Americans."

Since the breach was revealed, Loudermilk issued a statement saying that "given the unfounded attacks on me and the rampant misinformation circulating about this legislation, the Financial Services Committee has not scheduled further action on any bill at this time."

He also said that Equifax must be "held accountable" for the breach. A member of the Financial Services Committee, Loudermilk said he would be part of an investigation into the breach and that work had begun on legislation to require credit bureaus and other companies to promptly notify consumers if their data is breached.

Several Democratic senators, led by Elizabeth Warren of Massachusetts, have sponsored a measure that would forbid credit bureaus from charging consumers to freeze or unfreeze access to their accounts. It would also require the companies to refund any fees they have charged for credit freezes after the Equifax breach.

A hundred and forty-three million. That is the number of Americans whose personal information may have been exposed in the recent data breach at Equifax. This led to a lawsuit against the company by the state of Massachusetts, an investigation by the Federal Trade Commission, also the promise of congressional hearings. It has also shown just how much clout the big three credit-reporting companies have in Washington. Here's NPR's Brian Naylor.

BRIAN NAYLOR, BYLINE: The credit-reporting companies have to comply with rules set by the Federal Trade Commission and the Consumer Financial Protection Bureau. They regulate how the companies can sell your financial data to other companies. But protecting that data is a kind of regulatory black hole. There is very little oversight, say, compared to banks. Rohit Chopra is a former assistant director of the Financial Protection Bureau.

ROHIT CHOPRA: The meltdown at Equifax should be a wake-up call to the public about the outsized role credit-reporting companies play in our lives even without our consent.

NAYLOR: Chopra, now with the Consumer Federation of America, says there are no rules protecting consumers' data or that require credit bureaus to immediately notify consumers in the event of a breach. It took Equifax some six weeks to reveal the hack and left it up to consumers to try to find out if their data had been stolen. Chopra says people have little control over their information.

CHOPRA: Credit bureaus make most of their money selling your information to financial companies, and in some ways you're not the customer, you're the product.

NAYLOR: And Ed Mierzwinski of the U.S. Public Interest Research Group says when it comes to choosing a credit bureau, consumers have no choice.

ED MIERZWINSKI: If you don't like AT&T or Verizon, you can go to T-Mobile to take your business elsewhere. You vote with your feet. You cannot vote with your feet with the credit bureau. You're stuck with them.

NAYLOR: Mierzwinski says the three credit bureaus have fought attempts to make them more transparent. The three companies Equifax, Experian and TransUnion spent nearly $3 billion to lobby lawmakers last year, according to figures compiled by the Center for Responsive Politics. In fact, he says, House lawmakers were considering legislation the industry favored on September 7th.

MIERZWINSKI: On the day of the Equifax breach announcement, the House was holding a hearing on not one but two bills to weaken consumer protections over the credit bureaus.

NAYLOR: One of the measures would cap the amount of damages that consumers could be awarded in a lawsuit against the companies. Its sponsor, Georgia Republican Barry Loudermilk, defended the bill at that hearing.

(SOUNDBITE OF ARCHIVED RECORDING)

BARRY LOUDERMILK: It's also been presented that this is a credit bureau protection act, and this is false. This is to protect consumers and all Americans.

NAYLOR: Since the breach was revealed, Loudermilk issued a statement decrying, quote, "unfounded attacks" on him and saying his committee has not scheduled further action on the measure. Brian Naylor, NPR News, Washington.

Transcript provided by NPR, Copyright NPR.